A Brief Introduction to Mix Networks Ari Juels RSA Laboratories © 2001, RSA Security Inc.


1 A Brief Introduction to Mix Networks Ari Juels RSA Laboratories © 2001, RSA Security Inc.

2 What does a mix network do?
Randomly permutes and decrypts inputs
[Figure: mix network; message 1, message 2, message 3, message 4]

3 What does a mix network do?
Key property: We can’t tell which ciphertext corresponds to a given message
[Figure: message 2, ?]

4 Example application: Anonymizing bulletin board or e-mail
[Figure: From Bob, From Charlie, From Alice]

5 Example application: Anonymizing bulletin board or e-mail
[Figure: From Bob, From Charlie, From Alice; “I love Alice”, “Nobody loves Bob”, “I love Charlie”]
Is it Bob, Charlie, self-love, or other?

6 Another application: Voting
[Figure: ballots labelled “Digitally signed by Eve”, “Digitally signed by Charlie”, “Digitally signed by Charlie”, “Digitally signed by Bob”, “Digitally signed by Alice”; votes “A vote for Al Gore”, “A vote for G.W. Bush”, “A vote for Al Gore”, “A vote for G.W. Bush”]
Final Tally: Bush 2 Gore 1

7 A look under the hood

8 Basic Mix (Chaum ‘81)
[Figure: Server 1, Server 2, Server 3 with public keys PK 1, PK 2, PK 3]

9 Encryption of Message
[Figure: message; PK 1, PK 2, PK 3]
Ciphertext = $E_{PK_1}[E_{PK_2}[E_{PK_3}[\text{message}]]]$

10 Basic Chaumian Mix
[Figure: Server 1, Server 2, Server 3, each labelled “decrypt and permute”; message orderings shown: m1 m2 m3; m2 m3 m1; m2 m1 m3; m2 m3 m1]

11 Basic Chaumian Mix
[Figure: three “decrypt and permute” steps; message orderings shown: m1 m2 m3; m2 m3 m1; m2 m1 m3; m2 m3 m1]
Observe: As long as one server is honest, privacy is preserved

12 Basic Chaumian Mix
[Figure: Server 1, Server 2, Server 3; m3, ?]
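
The layered encryption of slide 9 and the decrypt-and-permute steps of slides 10-12, as an added Python example that is not part of the original presentation. It assumes a toy hashed-ElGamal layer (Diffie-Hellman modulo 2^255 - 19 with a SHA-256 keystream) chosen only to keep the code self-contained; all function names are hypothetical and the messages are constructed.

```python
import hashlib, secrets

P, G = 2**255 - 19, 2            # toy DH group (assumption), illustration only

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)     # (SK_i, PK_i)

def _mask(shared, data):
    # XOR data with a SHA-256 counter-mode keystream derived from the DH secret
    stream = b"".join(
        hashlib.sha256(shared.to_bytes(32, "big") + i.to_bytes(4, "big")).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(pk, data):
    r = secrets.randbelow(P - 2) + 1     # fresh randomness for every layer
    return pow(G, r, P).to_bytes(32, "big") + _mask(pow(pk, r, P), data)

def decrypt(sk, ct):
    shared = pow(int.from_bytes(ct[:32], "big"), sk, P)
    return _mask(shared, ct[32:])

def wrap(pks, message):
    # Ciphertext = E_PK1[E_PK2[E_PK3[message]]]: encrypt for the last server first
    for pk in reversed(pks):
        message = encrypt(pk, message)
    return message

def mix_server(sk, batch):
    # one server's step: strip its layer from every input, then shuffle secretly
    out = [decrypt(sk, ct) for ct in batch]
    secrets.SystemRandom().shuffle(out)
    return out

def run_mix(sks, batch):
    for sk in sks:               # Server 1, then Server 2, then Server 3
        batch = mix_server(sk, batch)
    return batch

def demo():
    keys = [keygen() for _ in range(3)]
    sks, pks = [k[0] for k in keys], [k[1] for k in keys]
    messages = [b"m1", b"m2", b"m3"]      # constructed, equal-length inputs
    batch = [wrap(pks, m) for m in messages]
    return messages, batch, run_mix(sks, batch)
```

Each layer adds 32 bytes in this construction, so inputs must have equal length or ciphertext size would link an input to its output. The servers here give no proof of correct operation, which is the gap the robust mixes on the later slides address.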

13 What if one server fails?
[Figure: Server 1, Server 2, Server 3; SK 2]
Privacy now requires a majority of honest servers
Tolerance of failure is called robustness
Solution idea: Share key among others

14 What if one server cheats?
[Figure: ballot, BUSH]
Solution idea: Have each server prove that it permuted and decrypted correctly
Proof may be digitally signed and carried along with ciphertexts

15 Robust Mix
[Figure: Server 1, Server 2, Server 3, each labelled “decrypt, permute, and prove correct”; message orderings shown: m1 m2 m3; m2 m3 m1; m2 m1 m3; m2 m3 m1]

16 History of Robust Mixing
• Park, Itoh, Kurosawa (EC ‘93)
• Ogata, Kurosawa, Sako, Takatani (ICICS ‘97)
• Abe (EC ‘98)
• Jakobsson (EC ‘98)
• Desmedt and Kurosawa (EC ‘00)

17 History of Robust Mixing
• Jakobsson “Flash Mix” (PODC ‘99)
  – Secure only for large input sizes
  – Idea: Employ “dummy” inputs to check correctness
• Mitomo and Kurosawa (AC ‘00)
  – Repair weakness in Jakobsson ‘99

18 Publicly verifiable mixing
• Idea: Ensure that proofs are legitimate even if all servers try to cheat
• Abe (AC ‘99), Jakobsson and Juels (DIMACS-TR ‘99)
  – Idea: Use “swap” as atomic unit; prove correctness of “swap”
  – Efficient only on small input sizes
• Sako (Crypto ‘01) (renamed “shuffling”)
• Neff (ACM CCS ‘01)

19 Hybrid mixing
• Idea: Use symmetric and asymmetric crypto to achieve efficiency on long messages
• Ohkubo and Abe (AC ‘00)
• Jakobsson and Juels (PODC ‘01)

20 Asynchronous mixing
Preserves traffic routing privacy
Examples: Crowds (AT&T), ZK Systems, CIA, etc.
[Figure labels: Alice; Mix network; U.S.; England; Finland; Ecoterrorism server; ?]

21 Some other applications of mixes
• Anonymous payment schemes
• Secure multiparty computation
• Privacy-preserving content retrieval (A weak but efficient form of PIR)

22 What properties are desirable for voting?
• Privacy: YES
• Robustness: YES
• Long messages: NO
• Public verifiability: MAYBE
  – NO: Jakobsson’s “Flash Mix” (for large mixes)
  – YES: Mix by Neff

23 Can we improve with different modeling?
• Voter can collaborate with server to change vote in mid-mix -- prior to seeing other votes
  – “Beauty flaw” in JJ ‘01
• Very efficient asymmetric mix can probably be designed if we accept this “flaw”
• What other modeling changes are permissible?

24 Questions?

